CompTIA Security Plus Mock Test Q1357

An intrusion has occurred in an internet-facing system. The security administrator would like to gather forensic evidence while the system is still in operation. Which of the following procedures should the administrator perform FIRST on the system?

A. Make a drive image
B. Take hashes of system data
C. Collect information in RAM
D. Capture network traffic

Correct Answer: D
Section: Mixed Questions